Commit 3e0a3965 authored Sep 11, 2015 by Jann Horn Committed by Linus Torvalds Jul 16, 2016

xfs: fix type confusion in xfs_ioc_swapext



Without this check, the following XFS_I invocations would return bad
pointers when used on non-XFS inodes (perhaps pointers into preceding
allocator chunks).

This could be used by an attacker to trick xfs_swap_extents into
performing locking operations on attacker-chosen structures in kernel
memory, potentially leading to code execution in the kernel.  (I have
not investigated how likely this is to be usable for an attack in
practice.)

Signed-off-by: Jann Horn <jann@thejh.net>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent aa93d1fe

fs/xfs/xfs_ioctl.c

+6 −0

Original line number	Diff line number	Diff line
		@@ -1575,6 +1575,12 @@ xfs_ioc_swapext(
		goto out_put_tmp_file;
		}

		if (f.file->f_op != &xfs_file_operations \|\|
		tmp.file->f_op != &xfs_file_operations) {
		error = -EINVAL;
		goto out_put_tmp_file;
		}

		ip = XFS_I(file_inode(f.file));
		tip = XFS_I(file_inode(tmp.file));

Admin message